From 216fc8f840cb87686be3ef58df1cdf8b8ae21d17 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 20 Aug 2020 16:42:17 +0200
Subject: [PATCH 1/3] vfs_zfsacl: README.Coding fix

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
Pair-Programmed-With: Andrew Walker
Signed-off-by: Ralph Boehme
Signed-off-by: Andrew Walker
Reviewed-by: Jeremy Allison
(cherry picked from commit a182f2e6cdded739812e209430d340097acc0031)
---
 source3/modules/vfs_zfsacl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index c5c4718d6ce..a71cda72697 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -130,8 +130,9 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 } else {
 aceprop.flags = 0;
 }
- if(smb_add_ace4(pacl, &aceprop) == NULL)
+ if (smb_add_ace4(pacl, &aceprop) == NULL) {
 return NT_STATUS_NO_MEMORY;
+ }
 }
 #ifdef ACE_INHERITED_ACE
--
2.26.2

From ddae1e0a539a4217a7e27ad84e43b9384fa6401b Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 20 Aug 2020 16:41:36 +0200
Subject: [PATCH 2/3] vfs_zfsacl: use a helper variable in zfs_get_nt_acl_common()

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
Pair-Programmed-With: Andrew Walker
Signed-off-by: Ralph Boehme
Signed-off-by: Andrew Walker
Reviewed-by: Jeremy Allison
(cherry picked from commit 13b4f913b06457d8e1f7cf71c85722bbecabd990)
---
 source3/modules/vfs_zfsacl.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index a71cda72697..17478ad116e 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -87,6 +87,7 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 } for(i=0; i
Date: Thu, 24 Sep 2020 16:04:12 -0400
Subject: [PATCH 3/3] vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special

When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result in special entries being modified in a way such that delete, delete_child, write_named_attr, write_attribute are stripped from the returned ACL entry, and the kernel / ZFS treats this as having rights equivalent to the desired POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but this is only really called for in the case of special entries in this particular circumstance. Alter circumstances in which delete_child is granted so that it only is added to special entries. This preserves the intend post-chmod behavior, but avoids unnecessarily increasing permissions in cases where it's not intended. Further modification of this behavior may be required so that we grant a general read or general write permissions set in case of POSIX read / POSIX write on special entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
RN: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Signed-off-by: Andrew Walker
Reviewed-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit c1a37b4f31d5252ce074d41f69e526aa84b0d3b3)
---
 source3/modules/vfs_zfsacl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 17478ad116e..093eb5111e1 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -112,7 +112,10 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 special = acebuf[i].a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE);
- if (is_dir && (aceprop.aceMask & SMB_ACE4_ADD_FILE)) {
+ if (is_dir &&
+ (aceprop.aceMask & SMB_ACE4_ADD_FILE) &&
+ (special != 0))
+ {
 aceprop.aceMask |= SMB_ACE4_DELETE_CHILD;
 }
--
2.26.2
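Review bot: The three-part condition in the `@@ -112,7 +112,10 @@` hunk synthesises SMB_ACE4_DELETE_CHILD, a bit the stored ZFS entry does not carry, but the reason it is limited to `special != 0` is recorded only in the commit message. A comment above the `if` would keep a later cleanup from widening the grant again, for example `/* aclmode=passthrough chmod strips delete_child from owner@/group@/everyone@; restore it only for those special entries */`. The visible lines also do not test `aceprop.aceType`, so a deny entry that carries SMB_ACE4_ADD_FILE presumably gets DELETE_CHILD added to its mask as well; it is worth confirming that this is intended and saying so in the same comment. The body of zfs_get_nt_acl_common() starts and ends outside the hunk, so an earlier type check cannot be ruled out from here.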